- Cloud identity
- Synchronized identity
- Federated identity
Of these, security-conscious organizations most often opt for federated identities, which give them greater control over how users authenticate to and use cloud services. For federated identities, Active Directory Federation Services (AD FS) is the primary choice for many customers, but other third-party identity providers can also be used to federate identities with Office 365.
Cloud identity: the most basic model, in which Azure Active Directory creates and manages users and their credentials. This model is best suited to small organizations that do not have the budget to maintain on-premises infrastructure.
Synchronized identity: the most common sign-on model, implemented by many organizations that have an on-premises identity provider, most commonly Active Directory. Identities are managed on-premises, and Azure Active Directory Connector is required to synchronize accounts and password hashes to Azure Active Directory.
Federated identity: implemented on top of the synchronized identity model, but without password hash synchronization. User authentication is verified by the on-premises identity provider. To federate identities you can use Active Directory Federation Services (AD FS) or a third-party federation service provider. This model also gives you further control over, and the ability to limit, how your users access Office 365 services.
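As an added example (not from this post), the following PowerShell script reads a tenant's directory-sync and federation settings and reports which of the three models each verified domain is using, flagging a federated domain whose token-signing certificate is close to expiry. It assumes the MSOnline module (Get-MsolCompanyInformation, Get-MsolDomain, Get-MsolDomainFederationSettings and their property names as documented) and an existing Connect-MsolService session.

```powershell
# Added audit example, not from the post: classify each verified Office 365
# domain into the three identity models and flag AD FS signing certificates
# near expiry. Assumes the MSOnline module and an existing Connect-MsolService
# session with a role that can read company and domain information.
Import-Module MSOnline
function Get-IdentityModelReport {
    param([int]$WarnDays = 30)   # warn when a token-signing cert expires within this many days
    $company = Get-MsolCompanyInformation
    $dirSync = [bool]$company.DirectorySynchronizationEnabled
    $pwdSync = [bool]$company.PasswordSynchronizationEnabled
    foreach ($domain in (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' })) {
        $notes = @()
        if ($domain.Authentication -eq 'Federated') {
            $model = 'Federated identity'
            # Only federated domains carry federation settings (issuer, endpoints, certs)
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
            $notes += "IssuerUri: $($fed.IssuerUri)"
            if ($fed.SigningCertificate) {
                # SigningCertificate is the base64-encoded token-signing certificate
                $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
                $daysLeft = ($cert.NotAfter - (Get-Date)).Days
                if ($daysLeft -le $WarnDays) {
                    $notes += "Token-signing certificate expires in $daysLeft days ($($cert.NotAfter))"
                }
            }
            if ($pwdSync) {
                # Password hashes in the cloud next to federation: confirm this is intended
                $notes += 'Password hash sync is enabled alongside federation'
            }
        }
        elseif ($dirSync) {
            $model = 'Synchronized identity'
            if (-not $pwdSync) { $notes += 'Directory sync enabled but password hash sync is off' }
        }
        else {
            $model = 'Cloud identity'
        }
        [pscustomobject]@{
            Domain         = $domain.Name
            Authentication = $domain.Authentication   # Managed or Federated
            Model          = $model
            Notes          = ($notes -join '; ')
        }
    }
}

Get-IdentityModelReport | Format-Table -AutoSize -Wrap
```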
You can switch between these identity models, and Microsoft recommends implementing the simplest model that meets your requirements. I will not discuss these sign-in models in detail, or when to choose each, in this blog post; there is a well-written post over at Office Blogs which you can access by clicking here.
I have put together a document with step-by-step instructions on deploying AD FS 3.0 and integrating it with Office 365 for authentication. You can access the document on the TechNet Gallery by clicking here.